Add Magic Link (passwordless) login feature

[Sogl]

Summary

This PR adds a Magic Link (passwordless) login feature to the Login plugin, allowing users to sign in via a one-time link sent to their email address — no password required.

Note: This PR is submitted as a draft to invite discussion on the implementation approach before requesting a formal review. Feedback on design decisions, naming conventions, or implementation details is very welcome. cc @rhukster

Dependency: This PR assumes #325 (multipart email support) is merged first, as the plain-text email alternative for the magic login email (magic-login.txt.twig) relies on the multipart sending logic introduced there. If #325 is not merged, the feature works correctly but sends HTML-only emails.

Why

Passwordless login is increasingly common and expected, particularly for sites where users may not remember (or never set) a password — for example, after OAuth registration or admin-created accounts. A magic link is also a more user-friendly alternative to password reset for infrequent visitors.

What changed

Core logic

• login.php — handleMagicLogin(): validates token, TTL, hash, invalidates token before login to prevent race-condition reuse, then runs the standard Login::login() pipeline
• login.php — userLoginAuthenticateByMagic(): onUserLoginAuthenticate listener (priority 10004) that sets AUTHENTICATION_SUCCESS and stops propagation when the magic_link option is set
• login.php — addMagicPage(): serves the magic link request page, respects magic_link.enabled guard
• classes/Login.php — sendMagicLoginEmail(): generates a cryptographically random token, stores its SHA-256 hash + expiry in the user file, sends the email
• classes/Controller.php — taskMagicRequest(): handles the email form submission with IP-level and per-user rate limiting; uses anti-enumeration (neutral response regardless of account existence)

Templates & pages

• pages/magic.md — default request page (email form)
• templates/magic.html.twig — page template
• templates/partials/magic-form.html.twig — the email input form
• templates/partials/login-form.html.twig — added "Login by link" button (only shown when magic_link.enabled: true)
• templates/emails/login/magic-login.html.twig — HTML email template
• templates/emails/login/magic-login.txt.twig — plain-text email template

Configuration

• blueprints.yaml — admin UI settings for the magic link section
• login.yaml — default config values (enabled: false, ttl: 10, rate limiting)

i18n

• languages/en.yaml — all magic link keys
• languages/ru.yaml — Russian translations

Documentation

• README.md — added Magic Link Login section with enabling instructions, flow description, and security notes

Security considerations

• Token is random_bytes(32) — only its SHA-256 hash is stored in the user file
• Token is invalidated before the login pipeline runs (prevents race-condition reuse)
• Links expire after configurable TTL (default: 10 minutes)
• Links are strictly single-use
• Anti-enumeration: the same neutral response is returned whether or not an account exists
• Rate limiting applies per IP and per user account
• remember_me is never set via magic link login
• twofa is respected if enabled

Backward compatibility

• Feature is disabled by default (magic_link.enabled: false)
• No existing behavior is changed when the feature is disabled

[Sogl]

Added one follow-up commit with two fixes:

1. pre-login site.login ACL check now supports access inherited via groups (Flex + legacy users),
2. magic-link requests now detect duplicate emails and fail safely instead of choosing an arbitrary account.